CVE-2022-3602

X.509 Email Address 4-byte Buffer Overflow

Severity Score

7.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. Note that this occurs after certificate chain signature verification and requires either a CA to have signed the malicious certificate or for the application to continue certificate verification despite failure to construct a path to a trusted issuer. An attacker can craft a malicious email address to overflow four attacker-controlled bytes on the stack. This buffer overflow could result in a crash (causing a denial of service) or potentially remote code execution. Many platforms implement stack overflow protections which would mitigate against the risk of remote code execution. The risk may be further mitigated based on stack layout for any given platform/compiler. Pre-announcements of CVE-2022-3602 described this issue as CRITICAL. Further analysis based on some of the mitigating factors described above have led this to be downgraded to HIGH. Users are still encouraged to upgrade to a new version as soon as possible. In a TLS client, this can be triggered by connecting to a malicious server. In a TLS server, this can be triggered if the server requests client authentication and a malicious client connects. Fixed in OpenSSL 3.0.7 (Affected 3.0.0,3.0.1,3.0.2,3.0.3,3.0.4,3.0.5,3.0.6).

Puede activarse una saturación del búfer en la verificación del certificado X.509, específicamente en la verificación de restricciones en el nombre. Tenga en cuenta que esto ocurre después de la verificación de la firma de la cadena de certificados y requiere que una CA haya firmado el certificado malicioso o que la aplicación continúe con la verificación del certificado a pesar de no poder construir una ruta a un emisor confiable. Un atacante puede crear una dirección de correo electrónico maliciosa para desbordar cuatro bytes en la pila de memoria controlados por el atacante. Este desbordamiento del búfer podría provocar un bloqueo (provocando una denegación de servicio) o una potencial ejecución remota de código. Muchas plataformas implementan protecciones contra el desbordamiento de la pila de memoria que mitigarían el riesgo de ejecución remota de código. El riesgo puede mitigarse, aún más, según el diseño de la pila de memoria para cualquier plataforma/compilador determinado. Los anuncios previos de CVE-2022-3602 describieron este problema como CRÍTICO. Un análisis más detallado basado en algunos de los factores mitigantes descritos anteriormente ha llevado a que esto se rebaje a ALTO. Aún se recomienda a los usuarios que actualicen a una nueva versión lo antes posible. En un cliente TLS, esto se puede desencadenar conectándose a un servidor malicioso. En un servidor TLS, esto se puede activar si el servidor solicita la autenticación del cliente y se conecta un cliente malintencionado. Corregido en OpenSSL 3.0.7 (Afectado 3.0.0,3.0.1,3.0.2,3.0.3,3.0.4,3.0.5,3.0.6).

A stack-based buffer overflow was found in the way OpenSSL processes X.509 certificates with a specially crafted email address field. This issue could cause a server or a client application compiled with OpenSSL to crash when trying to process the malicious certificate.

*Credits: Polar Bear

CVSS Scores

NISTv3.1 7.5

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2022-10-19 CVE Reserved
2022-11-01 CVE Published
2022-11-01 First Exploit
2024-08-03 CVE Updated
2024-10-16 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-121: Stack-based Buffer Overflow
CWE-787: Out-of-bounds Write

CAPEC

References (47)

URL	Tag	Source
http://packetstormsecurity.com/files/169687/OpenSSL-Security-Advisory-20221101.html	Third Party Advisory
http://www.openwall.com/lists/oss-security/2022/11/01/15	Mailing List
http://www.openwall.com/lists/oss-security/2022/11/01/16	Mailing List
http://www.openwall.com/lists/oss-security/2022/11/01/17	Mailing List
http://www.openwall.com/lists/oss-security/2022/11/01/18	Mailing List
http://www.openwall.com/lists/oss-security/2022/11/01/19	Mailing List
http://www.openwall.com/lists/oss-security/2022/11/01/20	Mailing List
http://www.openwall.com/lists/oss-security/2022/11/01/21	Mailing List
http://www.openwall.com/lists/oss-security/2022/11/01/24	Mailing List
http://www.openwall.com/lists/oss-security/2022/11/02/1	Mailing List
http://www.openwall.com/lists/oss-security/2022/11/02/10	Mailing List
http://www.openwall.com/lists/oss-security/2022/11/02/11	Mailing List
http://www.openwall.com/lists/oss-security/2022/11/02/12	Mailing List
http://www.openwall.com/lists/oss-security/2022/11/02/13	Mailing List
http://www.openwall.com/lists/oss-security/2022/11/02/14	Mailing List
http://www.openwall.com/lists/oss-security/2022/11/02/15	Mailing List
http://www.openwall.com/lists/oss-security/2022/11/02/2	Mailing List
http://www.openwall.com/lists/oss-security/2022/11/02/3	Mailing List
http://www.openwall.com/lists/oss-security/2022/11/02/5	Mailing List
http://www.openwall.com/lists/oss-security/2022/11/02/6	Mailing List
http://www.openwall.com/lists/oss-security/2022/11/02/7	Mailing List
http://www.openwall.com/lists/oss-security/2022/11/02/9	Mailing List
http://www.openwall.com/lists/oss-security/2022/11/03/1	Mailing List
http://www.openwall.com/lists/oss-security/2022/11/03/10	Mailing List
http://www.openwall.com/lists/oss-security/2022/11/03/11	Mailing List
http://www.openwall.com/lists/oss-security/2022/11/03/2	Mailing List
http://www.openwall.com/lists/oss-security/2022/11/03/3	Mailing List
http://www.openwall.com/lists/oss-security/2022/11/03/5	Mailing List
http://www.openwall.com/lists/oss-security/2022/11/03/6	Mailing List
http://www.openwall.com/lists/oss-security/2022/11/03/7	Mailing List
http://www.openwall.com/lists/oss-security/2022/11/03/9	Mailing List
https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=fe3b639dc19b325846f4f6801f2f4604f56e3de3	Broken Link
https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0023	Third Party Advisory
https://security.netapp.com/advisory/ntap-20221102-0001	Third Party Advisory
https://www.kb.cert.org/vuls/id/794340	Third Party Advisory

URL	Date	SRC
https://github.com/colmmacc/CVE-2022-3602	2022-11-01
https://github.com/eatscrayon/CVE-2022-3602-poc	2022-11-01
https://github.com/corelight/CVE-2022-3602	2022-11-24
https://github.com/cybersecurityworks553/CVE-2022-3602-and-CVE-2022-3786	2022-11-09

URL	Date	SRC

URL	Date	SRC
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/63YRPWPUSX3MBHNPIEJZDKQT6YA7UF6S	2023-08-08
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DWP23EZYOBDJQP7HP4YU7W2ABU2YDITS	2023-08-08
https://security.gentoo.org/glsa/202211-01	2023-08-08
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-openssl-W9sdCc2a	2023-08-08
https://www.openssl.org/news/secadv/20221101.txt	2023-08-08
https://access.redhat.com/security/cve/CVE-2022-3602	2022-11-02
https://bugzilla.redhat.com/show_bug.cgi?id=2137723	2022-11-02
https://access.redhat.com/security/vulnerabilities/RHSB-2022-004	2022-11-02

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Openssl Search vendor "Openssl"		Openssl Search vendor "Openssl" for product "Openssl"				>= 3.0.0 < 3.0.7 Search vendor "Openssl" for product "Openssl" and version " >= 3.0.0 < 3.0.7"		-		Affected
Fedoraproject Search vendor "Fedoraproject"		Fedora Search vendor "Fedoraproject" for product "Fedora"				36 Search vendor "Fedoraproject" for product "Fedora" and version "36"		-		Affected
Fedoraproject Search vendor "Fedoraproject"		Fedora Search vendor "Fedoraproject" for product "Fedora"				37 Search vendor "Fedoraproject" for product "Fedora" and version "37"		-		Affected
Netapp Search vendor "Netapp"		Clustered Data Ontap Search vendor "Netapp" for product "Clustered Data Ontap"				-		-		Affected
Fedoraproject Search vendor "Fedoraproject"		Fedora Search vendor "Fedoraproject" for product "Fedora"				26 Search vendor "Fedoraproject" for product "Fedora" and version "26"		-		Affected
Fedoraproject Search vendor "Fedoraproject"		Fedora Search vendor "Fedoraproject" for product "Fedora"				27 Search vendor "Fedoraproject" for product "Fedora" and version "27"		-		Affected
Nodejs Search vendor "Nodejs"		Node.js Search vendor "Nodejs" for product "Node.js"				>= 18.0.0 < 18.11.0 Search vendor "Nodejs" for product "Node.js" and version " >= 18.0.0 < 18.11.0"		-		Affected
Nodejs Search vendor "Nodejs"		Node.js Search vendor "Nodejs" for product "Node.js"				18.12.0 Search vendor "Nodejs" for product "Node.js" and version "18.12.0"		lts		Affected
Nodejs Search vendor "Nodejs"		Node.js Search vendor "Nodejs" for product "Node.js"				19.0.0 Search vendor "Nodejs" for product "Node.js" and version "19.0.0"		-		Affected